0
Mobile Security

Intense overview of mobile
security threat


     prepared by Fabio Pietrosanti,
               CTO @ Pri...
Mobile S
M bil Security
           it

  Introduction




Mobile Security - Fabio Pietrosanti - www.privatewave.com   2
Introduction

      Mobile phones today
        bil   h       d
   Mobile phones have changed our life in the past
    15...
Introduction

Mobile phones today




   Mobile Security - Fabio Pietrosanti - www.privatewave.com   4
Introduction

     It’s something personal
               hi          l

   Mobile phones have become
    the
    th most...
Introduction
    It’s
    It’ something critical
            thi     iti l
 phone call l
   h       ll logs              ...
Mobile S
 M bil Security
            it


Difference between
mobile security & IT
             y
      security



  Mobil...
Difference between mobile security & IT
                   Security
             Too much trust
   Trust between operator...
Difference between mobile security & IT
                   Security
    Too difficult to deal with
   Low level communica...
Difference between mobile security & IT
                   Security
            Too many sw/hw
            T           /h
...
Difference between mobile security & IT
                    Security
Vulnerability management
    Patching mobile operati...
Difference between mobile security & IT
                     Security
               Vulnerability count
               V ...
Mobile Security


Mobile Device Security




   Mobile Security - Fabio Pietrosanti - www.privatewave.com   13
Mobile Device Security
           Devices access and
               authority
   All those subject share authority on the...
Mobile Device Security
    Reduced security by hw
           design
   Poor keyboard ->
   Poor password

Type a passphr...
Mobile Device Security
       Reduced security by hw
              design
   Poor screen, poor control

   User diagnost...
Mobile Device Security
    Mobile security model –
          old school
   Windows Mobile and Blackberry application
    ...
Mobile Device Security

    Mobile security model –
    old school but Enterprise
   Windows Mobile 6.1 (SCMDM) and Black...
Mobile Device Security
    Mobile security model –
            iPhone
   Heritage of OS X Security model
   Centralized ...
Mobile Device Security
    Mobile security model –
      Android / Symbian
   Sandbox based approach (data caging)
   Us...
Mobile Device Security

            Brew & NucleOS
            B      N l OS

   Application is provided *exclusively* fr...
Mobile Device Security
    Development language
           security
   Development l
    D     l        t language/sdk se...
Mobile Security
              y


Mobile Hacking
      &
 Attack vector



Mobile Security - Fabio Pietrosanti - www.priva...
Mobile Hacking & Attack Vector
    Mobile security research

   Mobile security research exponentially
    increased in p...
Mobile Hacking & Attack Vector
Mobile security research -
          2008
    DEFCON 16 - Taking Back your Cellphone Alexa...
Mobile Hacking & Attack Vector
          Mobile security
         research 2009 (1)
   ShmooCon Building an All-Channel B...
Mobile Hacking & Attack Vector
         Mobile security
        research 2009 (2)
   DEFCON 17 Hacking WITH the iPod Touc...
Mobile Hacking & Attack Vector
         Mobile security
        research 2009 (3)
   EuSecWest - Pwning your grandmother'...
Mobile Hacking & Attack Vector

              Attack layers
                     la ers
   Mobile is attacked at followin...
Mobile Hacking & Attack Vector

     Link layer security - GSM
   GSM has been cracked with
    2k USD hw equipment
     ...
Mobile Hacking & Attack Vector

    Link layer security - UMTS
   1°UMTS (Kasumi) cracking paper
    by Israel s Weizmann...
Mobile Hacking & Attack Vector

    Link layer security – WiFi
   All known attacks about WiFi
      R
       Rogue AP D...
Mobile Hacking & Attack Vector
   Link layer security
Rouge operators roaming
   Telecommunication operators are trusted
...
Mobile Hacking & Attack Vector

                MMS security
   Good delivery system for malware (binary mime encoded
   ...
Mobile Hacking & Attack Vector

             SMS security (1)
   Only 160byte per SMS (concatenation support)
   CLI spo...
Mobile Hacking & Attack Vector

        SMS security (2)
Easy social engineering for provisioning SMS




Thanks to Mobile...
Mobile Hacking & Attack Vector

                Bluetooth
                Bl t th (1)
  Bluetooth spamming (they call it,...
Mobile Hacking & Attack Vector

                     Bluetooth (2)
  Bluetooth encryption has been cracked
http://news.te...
Mobile Hacking & Attack Vector

            NFC – what’s that?
   Near Field Communications
      Diffused in Far East (...
Mobile Hacking & Attack Vector

              NFC – example use
                         l
   NFC Ticketing (Vienna’s pub...
Mobile Hacking & Attack Vector

               NFC - security
   EUSecWest 2008: Hacking NFC mobile p
                   ...
Mobile Hacking & Attack Vector
           Mobile Web Security -
                   WAP
   HTTPS i considered a secure pro...
Mobile Hacking & Attack Vector
     Mobile Web Security –
             WEB
   Most issues in end-to-end security
   Atta...
Mobile Hacking & Attack Vector
     Mobile Web Security –
           WEB/SSL
   SSL is the basic security system used in ...
Mobile Hacking & Attack Vector
         Mobile Web Security –
                SSL UI
   Mobile
    M bil UI are not coher...
Mobile Hacking & Attack Vector
         Mobile Web Security –
Tnx to Rsnake & Masabi SSL UI




        Mobile Security - ...
Mobile Hacking & Attack Vector

                      Mobile VPN
   Mobile devices often need to access
    corporate net...
Mobile Hacking & Attack Vector
            Voice interception
   Voice interception is the most known and
               ...
Mobile Hacking & Attack Vector
     Location Based Services or
           Location Based
          Intelligence? (1)
   N...
Mobile Hacking & Attack Vector
     Location Based Services or
           Location Based
          Intelligence? (2)
   H...
Mobile Hacking & Attack Vector
             Mobile malware -
                spyware
   Commercial spyware focus on infor...
Mobile Hacking & Attack Vector
             Mobile malware –
              virus/worm (1)
   Worm
     Still no cross-pl...
Mobile Hacking & Attack Vector
             Mobile malware –
              virus/worm (2)
   Malware full feature list
  ...
Mobile Hacking & Attack Vector
           Mobile Forensics
   It's not just taking down SMS, photos
    and addressbook, ...
Mobile Hacking & Attack Vector
               Extension of
               organization:
               The operator
   Mo...
Mobile Hacking & Attack Vector
          Some near future
             scenarios
   Real diffusion of cross-platform troj...
Mobile Security
                    y


 The economic risks
TLC & Financial frauds



       Mobile Security - Fabio Pietr...
The economic risks
          Basic of phone fraud
   Basic of fraud
      Make the user trigger billable
       events
...
The economic risks
            Fraud against
           user/corporate
   Induct users to access content through:
     S...
The economic risks

         Security of mobile
                     banking
                           g


   Very h
   ...
Mobile Security
              y
  Conclusion




Mobile Security - Fabio Pietrosanti - www.privatewave.com   61
Conclusion
           Enterprise mobile
           security policies?
   Still not widely diffused
       Lacks of gener...
Conclusion
    New challenges require
       new approach
   Mobile manufacturer, Mobile OS provider and
    Carriers sho...
Upcoming SlideShare
Loading in...5
×

Mobile security - Intense overview

3,699

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
3,699
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
199
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Mobile security - Intense overview"

  1. 1. Mobile Security Intense overview of mobile security threat prepared by Fabio Pietrosanti, CTO @ PrivateWave
  2. 2. Mobile S M bil Security it Introduction Mobile Security - Fabio Pietrosanti - www.privatewave.com 2
  3. 3. Introduction Mobile phones today bil h d  Mobile phones have changed our life in the past 15 years (GSM & CDMA)  Mobile phones became the most personal and private item we own  Mobile smartphones have changed our digital life in the past 5 years  Growing computational power of “phones”  Diffusion of high speed mobile data networks  Real operating systems run on smartphones Mobile Security - Fabio Pietrosanti - www.privatewave.com 3
  4. 4. Introduction Mobile phones today Mobile Security - Fabio Pietrosanti - www.privatewave.com 4
  5. 5. Introduction It’s something personal hi l  Mobile phones have become the th most personal and private t l d i t item we own  You get out from home and you take:  House & car key  Portfolio  Mobile phone Mobile Security - Fabio Pietrosanti - www.privatewave.com 5
  6. 6. Introduction It’s It’ something critical thi iti l  phone call l h ll logs  Voice calls cross ll  addressbook through it (volatile  emails but b t non th t much) that h)  Corporate network  sms access  mobile browser  GPS tracking data history y  documents  calendar Mobile Security - Fabio Pietrosanti - www.privatewave.com 6
  7. 7. Mobile S M bil Security it Difference between mobile security & IT y security Mobile Security - Fabio Pietrosanti - www.privatewave.com 7
  8. 8. Difference between mobile security & IT Security Too much trust  Trust between operators  Trust between the user and the operators  Trust between the user and the phone p  Still low awareness of users on security risks Mobile Security - Fabio Pietrosanti - www.privatewave.com 8
  9. 9. Difference between mobile security & IT Security Too difficult to deal with  Low level communication protocols/networks are closed (security through entrance barrier)  Too many heterogeneous technologies, no single way to secure it  Diffused trusted security but not homogeneous use of trusted capabilities  Reduced detection capability of attack & trojan Mobile Security - Fabio Pietrosanti - www.privatewave.com 9
  10. 10. Difference between mobile security & IT Security Too many sw/hw T /h p platforms  Nokia S60 smartphones  Symbian/OS coming from Epoc age (psion)  Apple iPhone  iPhone OS - Darwin based, as Mac OS X - Unix  RIM Blackberry l kb  RIMOS – proprietary from RIM  Windows Mobile (various manufacturer)  Windows Mobile (coming from heritage of PocketPC)  Google Android  Linux Android (unix with custom java based user operating environment) Mobile Security - Fabio Pietrosanti - www.privatewave.com 10
  11. 11. Difference between mobile security & IT Security Vulnerability management  Patching mobile operating system is difficult  Carrier often builds custom firmware, it’s at their costs and not vendors vendors’  Only some environments provide easy OTA software upgrades  Almost very few control from enterprise provisioning and patch management perspective  Drivers often are not in hand of OS Vendor  Basend Processor runs another OS  Assume that some phones will j p just remain buggy ggy Mobile Security - Fabio Pietrosanti - www.privatewave.com 11
  12. 12. Difference between mobile security & IT Security Vulnerability count V l bilit t Source: iSec Mobile Security - Fabio Pietrosanti - www.privatewave.com 12
  13. 13. Mobile Security Mobile Device Security Mobile Security - Fabio Pietrosanti - www.privatewave.com 13
  14. 14. Mobile Device Security Devices access and authority  All those subject share authority on the device  OS Vendor/Manufacturer (2)  Carrier (1)  User  Application Developer (1) Etisalat operator-wide spyware installation for Blackberry http://www.theregister.co.uk/2009/07/14/blackberry_snooping/ h // h i k/2009/0 / /bl kb i / (2) Blackberry banned by France government for spying risks http://news.bbc.co.uk/2/hi/business/6221146.stm ttp // e s bbc co u / / /bus ess/6 6 st Mobile Security - Fabio Pietrosanti - www.privatewave.com 14
  15. 15. Mobile Device Security Reduced security by hw design  Poor keyboard ->  Poor password Type a passphrase: P4rtyn%!ter.nd@ 01 P4rtyn%!ter nd@’01 Mobile Security - Fabio Pietrosanti - www.privatewave.com 15
  16. 16. Mobile Device Security Reduced security by hw design  Poor screen, poor control  User diagnostic capabilities are reduced. No easy checking of f what’s going on  Critical situation where user analysis is required, required difficult to be handled (SS , (SSL, Email) a ) Mobile Security - Fabio Pietrosanti - www.privatewave.com 16
  17. 17. Mobile Device Security Mobile security model – old school  Windows Mobile and Blackberry application  A th Authorization b d on di it l signing of i ti based digital i i f application  Everything or nothing  With or without permission requests  Limited access to filesystem  No granular permission fine tuning Cracking Blackberry security model with 100$ key http://securitywatch.eweek.com/exploits_and_attacks/cracking_the_blackberry_with_ a_100_key.html Mobile Security - Fabio Pietrosanti - www.privatewave.com 17
  18. 18. Mobile Device Security Mobile security model – old school but Enterprise  Windows Mobile 6.1 (SCMDM) and Blackberry (BES)  Deep profiling of security features for centrally managed devices dd i - Able to download/execute external application - Able to use different data networks - Force device PIN protection - Force device encryption (BB) y - Profile access to connectivity resources (BB) Mobile Security - Fabio Pietrosanti - www.privatewave.com 18
  19. 19. Mobile Device Security Mobile security model – iPhone  Heritage of OS X Security model  Centralized distribution method: appstore  Technical application publishing policy pp p gp y  Non-technical application publishing policy AppStore “is” a security feature is  NO serious enterprise security provisioning Mobile Security - Fabio Pietrosanti - www.privatewave.com 19
  20. 20. Mobile Device Security Mobile security model – Android / Symbian  Sandbox based approach (data caging)  Users h U have ti ht control on application permissions tight t l li ti i i  Symbian is so strict on digital signature enforcement but not on data confidentiality  Symbian requires different level of signature depending on capability usage p g p y g  Android supports digital signing with self-signed certificates but keep java security model  A lot of third party security applications  NO serious enterprise security provisioning Mobile Security - Fabio Pietrosanti - www.privatewave.com 20
  21. 21. Mobile Device Security Brew & NucleOS B N l OS  Application is provided *exclusively* from manufacturer and from operator  Delivery is OTA through application portal of operator  Full trust to carrier Mobile Security - Fabio Pietrosanti - www.privatewave.com 21
  22. 22. Mobile Device Security Development language security  Development l D l t language/sdk security f t / dk it features support are extremely relevant to increase difficulties in exploiting Blackberry RIMOS J2ME MIDP 2.0 No native code Iphone Objective-C NX Stack/heap protection Windows Mobile Wi d M bil .NET / C++ NET GS enhanced security h d it Nokia/Symbian C++ Enhanced memory management Android/Linux Java & NDK Java security model Mobile Security - Fabio Pietrosanti - www.privatewave.com 22
  23. 23. Mobile Security y Mobile Hacking & Attack vector Mobile Security - Fabio Pietrosanti - www.privatewave.com 23
  24. 24. Mobile Hacking & Attack Vector Mobile security research  Mobile security research exponentially increased in past 2 years  DEFCON (USA), BlackHat (USA, Europe, Japan), CCC(DE), ShmooCon (USA), YSTS (BR), HITB (Malaysia), CansecWest (CAN), S (C ) EuSecWest)NL, G S( ) Ekoparty (AR), DeepSec ) GTS(BR), k ( ) S (AT) *CLCERT data  Hacking environment is taking much more interests and attention to mobile hacking  Dedicated security community:  TSTF.net , Mseclab , Tam hanna Mobile Security - Fabio Pietrosanti - www.privatewave.com 24
  25. 25. Mobile Hacking & Attack Vector Mobile security research - 2008  DEFCON 16 - Taking Back your Cellphone Alexander Lash  BH DC / BH Europe – Intercepting Mobile Phone/GSM Traffic David Hulton, Steve–  BH Europe - M bil Phone Spying T l Jarno Niemelä– E Mobile Ph S i Tools J Ni lä  BH USA - Mobile Phone Messaging Anti-Forensics Zane Lackey, Luis Miras  Ekoparty - S Ek t Smartphones (i ) t h (in)security Nicolas E it Ni l Economou, Alf d O t Alfredo Ortega  BH Japan - Exploiting Symbian OS in mobile devices Collin Mulliner–  GTS-12 - iPhone and iPod Touch Forensics Ivo Peixinho  25C3– Hacking the iPhone - M l N d pytey, planetbeing 25C3 H ki th iPh MuscleNerd, t l tb i  25C3 Locating Mobile Phones using SS7 – Tobias Engel– Anatomy of smartphone hardware Harald Welte  25C3 Running your own GSM network – H Welte, Dieter Spaar H. Welte  25C3 Attacking NFC mobile phones – Collin Mulliner Mobile Security - Fabio Pietrosanti - www.privatewave.com 25
  26. 26. Mobile Hacking & Attack Vector Mobile security research 2009 (1)  ShmooCon Building an All-Channel Bluetooth Monitor Michael Ossmann and Dominic Spill  ShmooCon Pulling a John Connor: Defeating Android Charlie Miller  BH USA– A USA Attacking SMS - Z ki Zane Lackey, Luis Miras – L k L i Mi  BH USA Premiere at YSTS 3.0 (BR)  BH USA Fuzzing the Phone in your Phone - Charlie Miller, Collin Mulliner M lli  BH USA Is Your Phone Pwned? - Kevin Mahaffey, Anthony Lineberry & John Hering–  BH USA Post Exploitation Bliss –  BH USA Loading Meterpreter on a Factory iPhone - Vincenzo Iozzo & Charlie Miller–  BH USA Exploratory Android Surgery - Jesse Burns  DEFCON 17– Jailbreaking and the Law of Reversing - Fred Von Lohmann, Jennifer Granick– Mobile Security - Fabio Pietrosanti - www.privatewave.com 26
  27. 27. Mobile Hacking & Attack Vector Mobile security research 2009 (2)  DEFCON 17 Hacking WITH the iPod Touch - Thomas Wilhelm  DEFCON 17 Attacking SMS. It's No Longer Your BFF - Brandon Dixon  DEFCON 17 Bluetooth, Smells Like Chicken - Dominic Spill, Michael Ossmann, Ossmann Mark Steward  BH Europe– Fun and Games with Mac OS X and iPhone Payloads - Charlie Miller and Vincenzo Iozzo–  BH Europe Hijacking Mobile Data Connections - Roberto Gassirà and Roberto Piccirillo–  BH Europe Passports Reloaded Goes Mobile - Jeroen van Beek  CanSecWest CanSecWest– The Smart Phones Nightmare Sergio 'shadown' Alvarez Smart-Phones shadown  CanSecWest - A Look at a Modern Mobile Security Model: Google's Android Jon Oberheide–  CanSecWest - Multiplatform iPhone/Android Shellcode, and other smart p , phone insecurities Alfredo Ortega and Nico Economou Mobile Security - Fabio Pietrosanti - www.privatewave.com 27
  28. 28. Mobile Hacking & Attack Vector Mobile security research 2009 (3)  EuSecWest - Pwning your grandmother's iPhone Charlie Miller–  HITB Malaysia - Bugs and Kisses: Spying on Blackberry Users for FunSheran Gunasekera YSTS 3 0 / Gunasekera– 3.0  HITB Malaysia - Hacking from the Restroom Bruno Gonçalves de Oliveira  PacSec - The Android Security Story: Challenges and Solutions for Secure Open Systems Rich Cannings & Alex Stamos  DeepSec - Security on the GSM Air Interface David Burgess, Harald Welte  DeepSec - Cracking GSM Encryption Karsten Nohl–  DeepSec - Hijacking Mobile Data Connections 2.0: Automated and Improved Roberto Piccirillo, Roberto Gassirà–  DeepSec - A practical DOS attack to the GSM network Dieter Spaar Mobile Security - Fabio Pietrosanti - www.privatewave.com 28
  29. 29. Mobile Hacking & Attack Vector Attack layers la ers  Mobile is attacked at following layers  Layer2 attacks (GSM, UMTS WiFi) (GSM UMTS,  Layer4 attacks (SMS/MMS interpreter)  La er7 attacks (Client side hacking) Layer7 Layer3 (TCP/IP) is generally protected by mobile operators by filtering inbound connections Mobile Security - Fabio Pietrosanti - www.privatewave.com 29
  30. 30. Mobile Hacking & Attack Vector Link layer security - GSM  GSM has been cracked with 2k USD hw equipment  http://reflextor.com/trac/a51 - A51 rainbowtable cracking software  http://www.airprobe.org - GSM interception software  http://www.gnuradio.org - Software defined radio  htt // http://www.ettus.com/products - tt / d t USRP2 – Cheap software radio Mobile Security - Fabio Pietrosanti - www.privatewave.com 30
  31. 31. Mobile Hacking & Attack Vector Link layer security - UMTS  1°UMTS (Kasumi) cracking paper by Israel s Weizmann Institute of Israel’s Science  http://www.theregister.co.uk/201 0/01/13/gsm_crypto_crack/  Still no public practical p p implementation  UMTS mode-only phones are not reliable Mobile Security - Fabio Pietrosanti - www.privatewave.com 31
  32. 32. Mobile Hacking & Attack Vector Link layer security – WiFi  All known attacks about WiFi  R Rogue AP DNS poisoning, AP, i i arp spoofing, man in the middle, middle WEP cracking, cracking WPA-PSK cracking, etc Mobile Security - Fabio Pietrosanti - www.privatewave.com 32
  33. 33. Mobile Hacking & Attack Vector Link layer security Rouge operators roaming  Telecommunication operators are trusted among each other (roaming agreements & brokers)  Operators can hijack almost everything of a mobile connections:  mobile connect whatever network is available  Today, becoming a mobile operators is quite easy in certain countries, trust, it’s a matter of money  Today the equipment to run an operator is cheap (OpenBTS & OpenBSC) p p p Mobile Security - Fabio Pietrosanti - www.privatewave.com 33
  34. 34. Mobile Hacking & Attack Vector MMS security  Good delivery system for malware (binary mime encoded attachments, like email)  Use just PUSH-SMS for notifications and HTTP & SMIL for MMS retrieval  “Abused” to send out confidential information (intelligence tool for dummies & for activist)  “Abused” to hack windows powered mobile devices  MMS remote Exploit (CCC Congress 2006) http://www.f-secure.com/weblog/archives/00001064.html http://www f secure com/weblog/archives/00001064 html  MMS spoofing & avoid billing attack  http://www.owasp.org/images/7/72/MMS_Spoofing.ppt p p g g p g pp  MMSC filters on certain attachments  Application filters on some mobile phones for DRM purposes Mobile Security - Fabio Pietrosanti - www.privatewave.com 34
  35. 35. Mobile Hacking & Attack Vector SMS security (1)  Only 160byte per SMS (concatenation support)  CLI spoofing is extremely easy  SMS interpreter exploit  i h iPhone SMS remote exploit l i http://news.cnet.com/8301-27080_3-10299378-245.html  SMS used to deliver web attacks  Service Loading (SL) primer  SMS mobile data hijacking through SMS provisioning  Send Wap PUSH OTA configuration message to configure DNS (little of social engineerings)  Redirection phishing mitm SSL attack protocol Redirection, phishing, mitm, attack, downgrade, etc, etc  SMSC filters sometimes applied, often bypassed pp yp Mobile Security - Fabio Pietrosanti - www.privatewave.com 35
  36. 36. Mobile Hacking & Attack Vector SMS security (2) Easy social engineering for provisioning SMS Thanks to Mobile Security Lab, http://www.mseclab.com Lab http://www mseclab com Mobile Security - Fabio Pietrosanti - www.privatewave.com 36
  37. 37. Mobile Hacking & Attack Vector Bluetooth Bl t th (1)  Bluetooth spamming (they call it, “mobile advertising”)  Bluetooth attacks let you:  initiate phone calls  send SMS to any number  read SMS from the phone p  read/write phonebook  set call forwards  connect to the internet  Bluesnarfing, bluebug, bluebugging http://trifinite.org/ http://trifinite org/  Bluetooth OBEX to send spyware Mobile Security - Fabio Pietrosanti - www.privatewave.com 37
  38. 38. Mobile Hacking & Attack Vector Bluetooth (2)  Bluetooth encryption has been cracked http://news.techworld.com/security/3797/bluet ooth-crack-gets-serious/  But bluetooth sniffers were expensive  So an hacked firmware of a bluetooth dongle made it accessible: 18$ bluetooth sniffer http://pcworld.about.com/od/wireless/Research er creates Bluetooth c.htm er-creates-Bluetooth-c htm  Bluetooth interception became feasible  Bluetooth SCO (audio flow to bluetooth headset) could let phone call interception Mobile Security - Fabio Pietrosanti - www.privatewave.com 38
  39. 39. Mobile Hacking & Attack Vector NFC – what’s that?  Near Field Communications  Diffused in Far East (Japan & China)  Estimated diffusion in Europe/North America: 2013  Estimated financial transaction market: 75bn  NFC Tech: 13.56mhz, data rates 106kbit/s, multiple rfid tags  NFC Tag transmit URI by proximily to the phone that prompts user f action given the protocol: for ti i th t l URI SMS TEL SMART Poster (ringone, application, network configuration)  NFC Tag data format is ndef  J2ME midlet installation is automatic, user is just asked after download Mobile Security - Fabio Pietrosanti - www.privatewave.com 39
  40. 40. Mobile Hacking & Attack Vector NFC – example use l  NFC Ticketing (Vienna’s public Ti k ti (Vi ’ bli  Vending machine NFC payment services)  Totem public tourist information Mobile Security - Fabio Pietrosanti - www.privatewave.com 40
  41. 41. Mobile Hacking & Attack Vector NFC - security  EUSecWest 2008: Hacking NFC mobile p g phones, the , NFCWorm http://events.ccc.de/congress/2008/Fahrplan/events/2639.en.html  URI Spoofing:  Hide URI pointed on user  NDEF WWorm  Infect tags, not phones  Spread by writing writable tags  Use URI spoofing to point to midlet application that are automatically downloaded y  SMS/TEL scam through Tag hijacking Mobile Security - Fabio Pietrosanti - www.privatewave.com 41
  42. 42. Mobile Hacking & Attack Vector Mobile Web Security - WAP  HTTPS i considered a secure protocol is id d t l  Robust and reliable based on digital certificate  WAP is often used by mobile phones because it has special rates and mobile operator wap portals are i l d bil l feature rich and provide value added contents  WAP security uses WTLS that acts as a proxy between a WAP client and a HTTPS server  WTLS in WAP browser breaks the end-to-end security nature of SSL in HTTPS  WAP 2 fix it, only modern devices and modern WAP gateway Mobile Security - Fabio Pietrosanti - www.privatewave.com 42
  43. 43. Mobile Hacking & Attack Vector Mobile Web Security – WEB  Most issues in end-to-end security  Attackers are facilitated  Phones send user-agent identifying precise mode  Some operator HTTP transparent proxy reveal to web server MSISDN and IMSI of the phone p  Mobile browser has to be small and fast but…  Mobile browser has to be compatible with existing p g web security technologies Mobile Security - Fabio Pietrosanti - www.privatewave.com 43
  44. 44. Mobile Hacking & Attack Vector Mobile Web Security – WEB/SSL  SSL is the basic security system used in web for HTTPS  It gets sever limitation for wide acceptance in mobile environment ( h i (where smartphone are j h just part of) f)  End-to-end break of security in WTLS  Not all available phones support it  Out of date Symmetric ciphers  Certificates problems (root CA)  Slow to start  Certificates verification problems Mobile Security - Fabio Pietrosanti - www.privatewave.com 44
  45. 45. Mobile Hacking & Attack Vector Mobile Web Security – SSL UI  Mobile M bil UI are not coherent when handling t h t h h dli SSL certificates and it may be impossible for an extremely tricky user to verify the HTTPS y y y information of the website  Details not always clear  From 4 to 6 click required to check SSL information  Information is not always consistent al a s  Transcoder makes the operator embed their custom trusted CA-root to be able CA root to do Main In the Middle while optimizing web for mobile Mobile Security - Fabio Pietrosanti - www.privatewave.com 45
  46. 46. Mobile Hacking & Attack Vector Mobile Web Security – Tnx to Rsnake & Masabi SSL UI Mobile Security - Fabio Pietrosanti - www.privatewave.com 46
  47. 47. Mobile Hacking & Attack Vector Mobile VPN  Mobile devices often need to access corporate networks  VPN security has slightly different concepts y g y p  User managed VPN (Mobile IPSec clients)  Operator Managed VPN (MPLS-like model with dedicated APN on 3G data networks) Authentication based on SIM card and/or with login/password d/ i hl i / d Mobile Security - Fabio Pietrosanti - www.privatewave.com 47
  48. 48. Mobile Hacking & Attack Vector Voice interception  Voice interception is the most known and p considered risks because of media coverage on legal & illegal wiretapping  I t Interception th ti through S h Spyware i j ti injection (250E)  Interception through GSM cracking (2000-150.000E)  Interception through Telco Hijacking (30.000E)  Approach depends on the technological skills of the attacker  Protection is not technologically easy Mobile Security - Fabio Pietrosanti - www.privatewave.com 48
  49. 49. Mobile Hacking & Attack Vector Location Based Services or Location Based Intelligence? (1)  New risks given by official and unofficial LBS technologies  GPS:  Cheap cross-platform powerful spyware software with geo tracking (http://www.flexispy.com) (htt // fl i )  Gps data in photo’s metadata (iphone)  Community based tracking (lifelook) Mobile Security - Fabio Pietrosanti - www.privatewave.com 49
  50. 50. Mobile Hacking & Attack Vector Location Based Services or Location Based Intelligence? (2)  HLR (Home Location Register) MSC lookup:  GSM network ask the network’s HLR’ t k k th t k’ HLR’s: where is the phone’s MSC?  Network answer: {"status":"OK","number":"123456789","imsi":"22002123456 7890","mcc":"220",”mnc":"02","msc":"13245100001",””msc _location”:”London,UK”,”operator_name”:” Orange ( ) , p (UK)”,”operator_country”:”UK”} _ y }  HLR Lookup services (50-100 EUR):  http://www.smssubmit.se/en/hlr- lookup.html l k ht l  http://www.routomessages.com Mobile Security - Fabio Pietrosanti - www.privatewave.com 50
  51. 51. Mobile Hacking & Attack Vector Mobile malware - spyware  Commercial spyware focus on information spying  Flexispy (cross-platform commercial spyware) Listen to an active phone call (CallInterception) Secretly read SMS, Call Logs, Email, Cell ID and make Spy Call Listen to the phone surrounding Secret GPS trackingg Highly stealth (user Undetectable in operation)  A lot small softwares made for lawful and unlawful use by many small companies Mobile Security - Fabio Pietrosanti - www.privatewave.com 51
  52. 52. Mobile Hacking & Attack Vector Mobile malware – virus/worm (1)  Worm  Still no cross-platform system  Mainly involved in phone fraud (SMS & Premium numbers)  Sometimes making d i ki damage  Often masked as useful application or sexy stuff  In July 2009 first mobile botnet for SMS spamming http://www.zdnet.co.uk/news/security-threats/2009/07/16/phone-trojan- http://www zdnet co uk/news/security threats/2009/07/16/phone trojan has-botnet-features-39684313/ Mobile Security - Fabio Pietrosanti - www.privatewave.com 52
  53. 53. Mobile Hacking & Attack Vector Mobile malware – virus/worm (2)  Malware full feature list Spreading via Bluetooth, MMS, Sending SMS messages, Infecting files, Enabling remote control of the smartphone, M dif i fil E bli l f h h Modifying or replacing icons or system applications, Installing "fake" or non- working fonts and applications, Combating antivirus programs, Installing th I t lli other malicious programs, Locking memory cards, li i L ki d Stealing data, Spreading via removable media (memory sticks) , Damaging user data, Disabling operating system security mechanisms, mechanisms Downloading other files from the Internet Calling Internet, paid services,Polymorphism Source: Karspersky Mobile Malware evolution http://www.viruslist.com/en/analysis?pubid=204792080 Mobile Security - Fabio Pietrosanti - www.privatewave.com 53
  54. 54. Mobile Hacking & Attack Vector Mobile Forensics  It's not just taking down SMS, photos and addressbook, but all the information ecosystem of the new phone  Like a new kind of computer to be analyzed, just more difficult  Require custom equipment q q p  Local data easy to be retrieved  Network data are not affordable, spoofing is concrete  More dedicated training course about mobile forensics bil f i Mobile Security - Fabio Pietrosanti - www.privatewave.com 54
  55. 55. Mobile Hacking & Attack Vector Extension of organization: The operator  Mobile operator customer service identify users by CLI & some personal data  Mix of social engineering & CLI spoofing let g g p g compromise of  Phone call logs (Without last 3 digits)  Denial of service (sim card blocking)  Voice mailbox access (not always) Mobile Security - Fabio Pietrosanti - www.privatewave.com 55
  56. 56. Mobile Hacking & Attack Vector Some near future scenarios  Real diffusion of cross-platform trojan targeting fraud (espionage already in p ( p g y place) )  Back to the era of mobile phone dialers  Welcome to the new era of mobile phishing  QR code phishing:  “Free mobile chat, meet girls” -> Free girls > http://tinyurl.com/aaa -> web mobile-dependent malware.  SMS spamming becomes aggressive Mobile Security - Fabio Pietrosanti - www.privatewave.com 56
  57. 57. Mobile Security y The economic risks TLC & Financial frauds Mobile Security - Fabio Pietrosanti - www.privatewave.com 57
  58. 58. The economic risks Basic of phone fraud  Basic of fraud  Make the user trigger billable events  Basics of cash-out  Subscriber billable communications SMS to premium number CALL premium number CALL international premium number DOWNLOAD content from wap t tf sites (wap billing) Mobile Security - Fabio Pietrosanti - www.privatewave.com 58
  59. 59. The economic risks Fraud against user/corporate  Induct users to access content through:  SMS spamming (Finnish & Italian cases)  MMS spamming  Web delivery of telephony related URL (sms:// tel://)  Bluetooth spamming/worm  Phone dialers back from the ‘90 modem 90 age Mobile Security - Fabio Pietrosanti - www.privatewave.com 59
  60. 60. The economic risks Security of mobile banking g  Very h heterogeneous approach to access & security: h  STK/SIM toolkit application mobile banking  M bil web mobile banking - powerful phishing Mobile b bil b ki f l hi hi  Application based mobile banking (preferred because of usability)  SMS banking (feedbacks / confirmation code) Mobile Security - Fabio Pietrosanti - www.privatewave.com 60
  61. 61. Mobile Security y Conclusion Mobile Security - Fabio Pietrosanti - www.privatewave.com 61
  62. 62. Conclusion Enterprise mobile security policies?  Still not widely diffused  Lacks of general knowledge about risk g g  Lacks of widely available cross-platform tools  Difficult to be effectively implemented y  Application protection and privileges cannot be finely tuned across different platforms in the same way  The only action taken usually is anti-theft and device- specific security services (such as Blackberry application provisioning/protection & data encryption) Mobile Security - Fabio Pietrosanti - www.privatewave.com 62
  63. 63. Conclusion New challenges require new approach  Mobile manufacturer, Mobile OS provider and Carriers should agree on true common standards for f securityi  Antifraud systems must be proactive and new technology sho ld secure “by-design” technolog should sec re “b design”  Enterprises should press the market and, large ITSec vendors should push on manufacturer & operators for homogeneous security solutions  We should expect even more important attacks soon Mobile Security - Fabio Pietrosanti - www.privatewave.com 63
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×